
Instant messenger behavior

So, I'm looking at my Snort logs with a focus on looking for odd after-hours type of file-transfer nastiness, and I keep seeing Yahoo IM logons from the same box at random late-night hours during the night.

I don't *think* anyone's on the box at those hours... ;-)

If someone leaves the IM open, does it periodically re-logon (refresh?) itself? Is this typical behavior for IM, IRC, or any of those? (Yes, I'm aware of the 'bot C&C over IRC stuff -- just not sure what's "normal").

The Yahoo client will automatically try to log itself back in after 20 seconds if the connection is lost. That can be either by the internet connection going out for a few seconds and the computer regrabbing an IP address to use, or by the user's Yahoo account being disconnected via a booter-type program.

Other than that, if none of those conditions are being met, then Yahoo will not disconnect and try to reconnect after 20 seconds.

Could someone who uses that workstation during the day have a program like VNC running, and be accessing the computer from home or another location?

Also, if the workstation is doing a file transfer via Yahoo, then you should be able to grab the other person's IP address, as during a file transfer you do a direct connection to the other person's computer and skip the Yahoo server completely.

A simple netstat -a (while the transfer is taking place) would bring up enough details, and a simple whois would then give you more info.
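One way to triage the alerts discussed in this thread, as an added example that is not part of any poster's message: it reads Snort fast-format alerts, keeps the Yahoo IM logons that fall outside business hours, and marks each one as a likely reconnect retry or an isolated logon worth checking against other evidence. The sample lines, rule message, SID, addresses, business hours, 30-second window and function name are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample in Snort "fast" alert layout; message, SID and addresses are made up.
SAMPLE = """\
03/14-14:05:10.000000 [**] [1:1000001:1] CHAT Yahoo IM logon [**] [Priority: 3] {TCP} 10.0.0.23:1042 -> 192.0.2.10:5050
03/15-02:13:07.000000 [**] [1:1000001:1] CHAT Yahoo IM logon [**] [Priority: 3] {TCP} 10.0.0.23:1077 -> 192.0.2.10:5050
03/15-02:13:27.000000 [**] [1:1000001:1] CHAT Yahoo IM logon [**] [Priority: 3] {TCP} 10.0.0.23:1078 -> 192.0.2.10:5050
03/15-03:40:00.000000 [**] [1:1000001:1] CHAT Yahoo IM logon [**] [Priority: 3] {TCP} 10.0.0.23:1090 -> 192.0.2.10:5050
03/15-03:41:00.000000 [**] [1:1000002:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.40 -> 10.0.0.1
"""

# timestamp, rule message, source address (source port is optional, e.g. for ICMP)
LINE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(.*?)"
                  r"\s+\[\*\*\].*?\{\w+\}\s+([\d.]+)(?::\d+)?\s+->")

WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed business hours
RETRY_GAP = 30  # seconds; leaves room around the 20-second retry described in the reply


def after_hours_logons(log_text, year=2024, needle="Yahoo IM"):
    """Return {source_host: [(timestamp, label), ...]} for after-hours logon alerts.

    Fast alerts carry no year by default, so the caller supplies one (assumption).
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or needle not in m.group(2):
            continue
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
        per_host[m.group(3)].append(ts)

    report = {}
    for host, stamps in per_host.items():
        stamps.sort()
        rows = []
        for prev, cur in zip([None] + stamps, stamps):
            if WORK_START <= cur.time() < WORK_END:
                continue  # daytime logon, not of interest here
            gap = (cur - prev).total_seconds() if prev is not None else None
            # A logon right after another one looks like an automatic retry.
            label = "retry" if gap is not None and gap <= RETRY_GAP else "isolated"
            rows.append((cur, label))
        if rows:
            report[host] = rows
    return report
```

The labels are a heuristic only: an isolated after-hours logon can still be a single automatic reconnect, so it is a prompt to check the host (for example with netstat, as suggested above), not a verdict.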